Sunday, February 01, 2009

Debugging security with sectrace

A new command called "sectrace" can help debug security problems (e.g. a user cannot chown a file that has an NT ACL).

sectrace add -a -path /vol/software

will produce messages such as these:

Sun Feb 1 13:10:52 IST [jim: sectrace.filter.allowed:info]: [sectrace index: 2] Access allowed because 'Synchronize, Read Attributes' permission (0x100080) is granted on file or directory (Access allowed by an explicit access control entry) - Status: 1:58720452:0:0 - 10.1.20.107 - NT user name: support\administrator - UNIX user name: root(0) - Qtree security style is NTFS and NT ACL is set on file/directory - Path: /vol/software/

Typically there is no need to use -a since you only want to debug DENY replies.
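To work through many of these messages at once, the fields can be pulled apart and the access mask decoded. The sketch below is an added example, not part of the original post or of any NetApp tool; the field layout is assumed from the single sample message above, and the bit names are the standard winnt.h constants rather than sectrace's own labels.

```python
import re

# Windows file access-mask bits, named as in winnt.h (not sectrace's own labels).
ACCESS_BITS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Assumption: field order and separators are inferred from the one message shown above.
LINE_RE = re.compile(
    r"\[(?P<filer>[^:\]]+): sectrace\.filter\.(?P<verdict>\w+):\w+\]: "
    r"\[sectrace index: (?P<index>\d+)\] (?P<reason>.*?) - Status: (?P<status>\S+)"
    r" - (?P<client>\S+) - NT user name: (?P<nt_user>.*?)"
    r" - UNIX user name: (?P<unix_user>\S+) - .*? - Path: (?P<path>\S+)"
)
MASK_RE = re.compile(r"\((0x[0-9a-fA-F]+)\)")

def decode_mask(mask):
    """Return the names of the bits set in mask; unknown bits are shown as hex."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)  # keys are distinct bits, so sum == OR
    return names + ([hex(unknown)] if unknown else [])

def parse_sectrace(line):
    """Split one sectrace syslog message into fields, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["index"] = int(rec["index"])
    mask = MASK_RE.search(rec["reason"])
    rec["mask"] = int(mask.group(1), 16) if mask else None
    return rec

# The message quoted in the post, split across lines only for readability.
SAMPLE = (
    r"Sun Feb 1 13:10:52 IST [jim: sectrace.filter.allowed:info]: [sectrace index: 2] "
    r"Access allowed because 'Synchronize, Read Attributes' permission (0x100080) is granted "
    r"on file or directory (Access allowed by an explicit access control entry) - "
    r"Status: 1:58720452:0:0 - 10.1.20.107 - NT user name: support\administrator - "
    r"UNIX user name: root(0) - Qtree security style is NTFS and NT ACL is set on "
    r"file/directory - Path: /vol/software/"
)

if __name__ == "__main__":
    rec = parse_sectrace(SAMPLE)
    print(rec["verdict"], rec["nt_user"], rec["path"], decode_mask(rec["mask"]))
```

The decoded bits for 0x100080 match the 'Synchronize, Read Attributes' text in the message, which is a quick check that a mask is being read correctly.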